# /etc/default/dnscrypt-wrapper

# This file contains the configuration settings for dnscrypt-wrapper. In the
# unusual event that you may wish to run multiple instances on the same
# machine, this file supports configuring and running multiple instances (see
# the bottom of this file for a sample secondary configuration).

# CHROOTDIR should be the same path as the USER's home directory.
# For the standard dnscrypt user this should be "/run/dnscrypt". For nobody,
# this should be "/".
CHROOTDIR[0]="/run/dnscrypt"
#CHROOTDIR[0]="/"

# The address and (optional) port to listen on. The default port is 53.
LISTENADDRESS[0]="0.0.0.0:53"

# The external IP address and (optional) port to listen on. This is used to
# create the stamp to give to clients. The default port is 53.
EXTADDRESS[0]="127.0.0.1:53"

# The pid file for this instance. PIDFILE must always be specified for each
# instance!
PIDFILE[0]="/run/dnscrypt-wrapper/dnscrypt-wrapper-0.pid"

# Runs the daemon as the following user and chroots to that user's home
# directory (this is a security feature -- it is best not to change this!)
USER[0]="dnscrypt"
#USER[0]="nobody"

# If DNSCRYPTDIR is set, it will look for files crypt_secret.key, public.key,
# and secret.key in the specified directory.
# CRYPTSECRETKEYFILE, PROVIDERPUBLICKEYFILE and PROVIDERSECRETKEYFILE will be
# ignored.
DNSCRYPTDIR[0]="/var/lib/dnscrypt-wrapper"

# Or, if DNSCRYPTDIR is unset, you can specify those files manually.
#CRYPTSECRETKEYFILE[0]="/var/lib/dnscrypt-wrapper/crypt_secret.key"
#PROVIDERPUBLICKEYFILE[0]="/var/lib/dnscrypt-wrapper/public.key"
#PROVIDERSECRETKEYFILE[0]="/var/lib/dnscrypt-wrapper/secret.key"

# PROVIDERNAME is the fully qualified domain name that identifies the server.
# For a LAN service the first example should work (you should replace hostname
# with your actual hostname since it will be used by clients). For a public
# service you should use a real domain like the second example.
PROVIDERNAME[0]="2.dnscrypt-cert.hostname.localdomain"
#PROVIDERNAME[0]="2.dnscrypt-cert.example.com"

# PROVIDERCERTFILE is the location of the pre-signed certificate generated. If
# you are running a public service, it may be desirable to omit this option and
# instead store the generated pre-signed certificate (binary string) in a TXT
# record for your provider name (set by PROVIDERNAME above) so that the
# certificate will be provided by a nameserver instead of directly by
# dnscrypt-wrapper. See /usr/doc/dnscrypt-wrapper-@VERSION@/README.md for more.
PROVIDERCERTFILE[0]="/var/lib/dnscrypt-wrapper/dnscrypt.cert"

# The address of the DNS resolver to use to forward requests. You will probably
# want to change this! If you run your own nameserver (or forwarder) you should
# point it there. You may wish to use the nameserver from /etc/resolv.conf.
RESOLVERADDRESS[0]="8.8.8.8:53"

# Allow and forward unauthenticated queries (not recommended). Defaults to off
# ("no").
#UNAUTHENTICATED[0]="no"

# Where to log.
LOGFILE[0]="/var/log/dnscrypt-wrapper/dnscrypt-wrapper.log"

# Whether or not the server stores logs (self-reported to clients). Default is
# no, i.e. logs are kept.
#NOLOG[0]="no"

# Whether or not the server supports DNSSEC. Default is no, i.e. DNSSEC is not
# supported.
#DNSSEC[0]="no"

# The number of days the certificate is valid (i.e. expiration date). By
# default, if unset, this is 1 day (24 hours).
#CERTEXPIRATION[0]="1"

# A simple example configuration for a second instance
#CHROOTDIR[1]="/run/dnscrypt"
#LISTENADDRESS[1]="0.0.0.0:5353"
#EXTADDRESS[1]="127.0.0.2:5353"
#PIDFILE[1]="/run/dnscrypt-wrapper/dnscrypt-wrapper-1.pid"
#USER[1]="dnscrypt"
#DNSCRYPTDIR[1]="/var/lib/dnscrypt-wrapper/1"
#PROVIDERNAME[1]="2.dnscrypt-cert.hostname.localdomain"
#PROVIDERCERTFILE[1]="/var/lib/dnscrypt-wrapper/1/dnscrypt.cert"
#RESOLVERADDRESS[1]="8.8.8.8:53"
#LOGFILE[1]="/var/log/dnscrypt-wrapper/dnscrypt-wrapper-1.log"
